Bug 1362661

Summary: NMI watchdog: BUG: soft lockup - for iptables-restore for openshift master/node
Product: OpenShift Container Platform Reporter: Elvir Kuric <ekuric>
Component: Networking Assignee: Ben Bennett <bbennett>
Status: CLOSED DUPLICATE QA Contact: Meng Bo <bmeng>
Severity: medium Docs Contact:
Priority: high    
Version: 3.3.0 CC: aos-bugs, bbennett, danw, dcbw, ekuric, fwestpha, iptables-maint-list, jeder, mifiedle, perfbz, pvrabec, rkhan, tstclair, twiest, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-03 16:56:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1303130    

Comment 12 Thomas Woerner 2016-09-02 13:46:31 UTC
Can you give information about the firewall rule set that is already in place and the changes that will be added?

A firewall dump with iptables-save would show the current rule set. The restore files seem to be placed in /tmp. From the example in comment 6 there are these iptables-restore calls:

iptables-restore --noflush --counters /tmp/kube-temp-iptables-restore-247982443 

One of these files, together with the rule set before the iptables-restore call, would help to understand what is going on here. Please select one of the files where the restore takes a lot of time.

As there does not seem to be a change in the IPv6 rules, it might not be needed to add them also.

Comment 13 Dan Williams 2016-09-15 22:08:02 UTC
*** Bug 1372824 has been marked as a duplicate of this bug. ***

Comment 14 Florian Westphal 2016-11-30 17:58:09 UTC
http://patchwork.ozlabs.org/patch/697722/

... might provide some speedup.
Note that I can't backport to rhel since this isn't upstream yet.